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Interview Summary 


Application No. 

09/885,427 


Applicant(s) 

MADE, PETER A.J. VAN DER 


Examiner 

Russell L. Guilt 


Art Unit 

2123 





All participants (applicant, applicant's representative, PTO personnel): 

(1 ) Russell L Guill . (3) Steve Wigmore (Applicant's representative) . 

(2) Kevin Teska . (4) . 

Date of Interview: 02 May 2005 . 

Type: a)S Telephonic b)D Video Conference 

c)D Personal [copy given to: 1)D applicant 2)D applicant's representative] 

Exhibit shown or demonstration conducted: d)D Yes e)S No. 
If Yes, brief description: . 

Claim(s) discussed: New independent claims 12. 21. 30 . 

Identification of prior art discussed: . 

Agreement with respect to the claims f)^ was reached. g)D was not reached. h)Q N/A. 

Substance of Interview including description of the general nature of what was agreed to if an agreement was 
reached, or any other comments: Reviewed the claims Agreement was reached regarding claim language to 
overcome 112 and 101 issues. Attached is an annotated copy of the proposed claims . 

(A fuller description, if necessary, and a copy of the amendments which the examiner agreed would render the claims 
allowable, if available, must be attached. Also, where no copy of the amendments that would render the claims 
allowable is available, a summary thereof must be attached.) 

THE FORMAL WRITTEN REPLY TO THE LAST OFFICE ACTION MUST INCLUDE THE SUBSTANCE OF THE 
INTERVIEW. (See MPEP Section 713.04). If a reply to the last Office action has already been filed, APPLICANT IS 
GIVEN ONE MONTH FROM THIS INTERVIEW DATE, OR THE MAILING DATE OF THIS INTERVIEW SUMMARY 
FORM, WHICHEVER IS LATER, TO FILE A STATEMENT OF THE SUBSTANCE OF THE INTERVIEW. See 
Summary of Record of Interview requirements on reverse side or on attached sheet. 



Examiner Note: You must sign this form unless it is an 
Attachment to a signed Office action. 
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Summary of Record of Interview Requirements 
Manual of Patent Examining Procedure (MPEP), Section 713.04, Substance of Interview Must be Made of Record 

A complete written statement as to the substance of any face-to-face, video conference, or telephone interview with regard to an application must be made of record in the 
application whether or not an agreement with the examiner was reached at the interview. 

Title 37 Code of Federal Regulations (CFR) § 1.133 Interviews 
Paragraph (b) 

In every instance where reconsideration is requested in view of an interview with an examiner, a complete written statement of the reasons presented at the interview as 
warranting favorable action must be filed by the applicant An interview does not remove the necessity for reply to Office action as specified in §§ 1.1 11, 1 .135. (35 U.S.C. 132) 

37 CFR §1.2 Business to be transacted in writing. 
All business with the Patent or Trademark Office should be transacted in writing. The personal attendance of applicants or their attorneys or agents at the Patent and 
Trademark Office is unnecessary. The action of the Patent and Trademark Office will be based exclusively on the written record in the Office. No attention will be paid to 
any alleged oral promise, stipulation, or understanding in relation to which there is disagreement or doubt. 



The action of the Patent and Trademark Office cannot be based exclusively on the written record in the Office if that record is itself 
incomplete through the failure to record the substance of interviews. 

It is the responsibility of the applicant or the attorney or agent to make the substance of an interview of record in the application file, unless 
the examiner indicates he or she will do so. It is the examiner's responsibility to see that such a record is made and to correct material inaccuracies 
which bear directly on the question of patentability. 

Examiners must complete an Interview Summary Form for each interview held where a matter of substance has been discussed during the 
interview by checking the appropriate boxes and filling in the blanks. Discussions regarding only procedural matters, directed solely to restriction 
requirements for which interview recordation is otherwise provided for in Section 81 2.01 of the Manual of Patent Examining Procedure, or pointing 
out typographical errors or unreadable script in Office actions or the like, are excluded from the interview recordation procedures below. Where the 
substance of an interview is completely recorded in an Examiners Amendment, no separate Interview Summary Record is required. 

The Interview Summary Form shall be given an appropriate Paper No., placed in the right hand portion of the file, and listed on the 
"Contents" section of the file wrapper. In a personal interview, a duplicate of the Form is given to the applicant (or attorney or agent) at the 
conclusion of the interview. In the case of a telephone or video-conference interview, the copy is mailed to the applicant's correspondence address 
either with or prior to the next official communication. If additional correspondence from the examiner is not likely before an allowance or if other 
circumstances dictate, the Form should be mailed promptly after the interview rather than with the next official communication. 

The Form provides for recordation of the following information: 

- Application Number (Series Code and Serial Number) 

- Name of applicant 

- Name of examiner 

- Date of interview 

- Type of interview (telephonic, video-conference, or personal) 

- Name of participant(s) (applicant, attorney or agent, examiner, other PTO personnel, etc.) 

- An indication whether or not an exhibit was shown or a demonstration conducted 

- An identification of the specific prior art discussed 

- An indication whether an agreement was reached and if so, a description of the general nature of the agreement (may be by 
attachment of a copy of amendments or claims agreed as being allowable). Note: Agreement as to allowability is tentative and does 
not restrict further action by the examiner to the contrary. 

- The signature of the examiner who conducted the interview (if Form is not an attachment to a signed Office action) 

It is desirable that the examiner orally remind the applicant of his or her obligation to record the substance of the interview of each case. It 
should be noted, however, that the Interview Summary Form will not normally be considered a complete and proper recordation of the interview 
unless it includes, or is supplemented by the applicant or the examiner to include, all of the applicable items required below concerning the 
substance of the interview. 

A complete and proper recordation of the substance of any interview should include at least the following applicable items: 

1 ) A brief description of the nature of any exhibit shown or any demonstration conducted, 

2) an identification of the claims discussed, 

3) an identification of the specific prior art discussed, 

4) an identification of the principal proposed amendments of a substantive nature discussed, unless these are already described on the 
Interview Summary Form completed by the Examiner, 

5) a brief identification of the general thrust of the principal arguments presented to the examiner, 

(The identification of arguments need not be lengthy or elaborate. A verbatim or highly detailed description of the arguments is not 
required. The identification of the arguments is sufficient if the general nature or thrust of the principal arguments made to the 
examiner can be understood in the context of the application file. Of course, the applicant may desire to emphasize and fully 
describe those arguments which he or she feels were or might be persuasive to the examiner.) 

6) a general indication of any other pertinent matters discussed, and 

7) if appropriate, the general results or outcome of the interview unless already described in the Interview Summary Form completed by 
the examiner. 

Examiners are expected to carefully review the applicant's record of the substance of an interview. If the record is not complete and 
accurate, the examiner will give the applicant an extendable one month time period to correct the record. 

Examiner to Check for Accuracy 

If the claims are allowable for other reasons of record, the examiner should send a letter setting forth the examiner's version of the 
statement attributed to him or her. If the record is complete and accurate, the examiner should place the indication, "Interview Record OK" on the 
paper recording the substance of the interview along with the date and the examiner's initials. 
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Proposed New Claims for U.S. Patent Application Serial No. 09/885,427 
entitled, "Analytical Virtual Machine" 
K&S File No. 05456.105039 
Attn: Assistant Examiner Guill 
For Telephonic Interview on Monday, May 2, 2005 @ 2:00PM 



0 ( -12. ](New) A 'method for identifying malicious code in a target program, running in a 
^ virtual machine of a computer system, the method comprising: y+sL^t, ey.O«« 



evaluating a file format of the target program; ... c<jk tX*r*s » ^ ^ ***** 

evaluating control fields within a header of a file containing the target program; m ^ 

automatically configuring the virtual machine to execute the target program in 
one of three modes of operation based on the file format and the control fields within the 
header of the file, a first mode of operation, comprising a real mode, a second mode of 
operation for executing target programs comprising a high level programming language, 
and third mode of operation comprising a protected mode for executing target programs 
comprising thirty-two bit code; 

storing behavior flags representing behavior of the target program during 
execution of the target program by the virtual machine; 

storing a sequence in which the behavior flags are set by the target progran ^fjj^? 
sCaigCUpiUgn ^ during execution of the target program by the virtual machine; 

passing behavior flag data and sequence flag data to the computer system for 
evaluation after execution of the target program by the virtual machine; and 

terminating the virtual machine after execution of the target program, thereby 
removing from the. computer system a copy of the target program that was contained 
within the virtual machine. 

13. (New) The method of Claim 12, further comprising evaluating the behavior flag data 
with the computer system. 

14. (New) The method of Claim 12, further comprising initializing the virtual machine 
within the computer system, the virtual machine comprising a virtual computer 
implemented by software simulating functionality of a central processing unit and 
memory and a virtual operating system simulating functionality of an operating system of 
the computer system. 
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Application Serial No. 09/885,427 
DRAFT / PROPOSED CLAIMS 



15. (New) The method of Claim 12, further comprising identifying a type of operating 
system intended for the target program thatis to be executed by the virtual' machine. * . 

16. (New) The method of Claim 12, further comprising initializing the. virtual machine ; 
by constructing the virtual machine out of a number of layered shells. 

17. (New) The method of Claim 16, further comprising configuring the shells based 
upon a format of the target program. 

18. (New) The method of Claim 12, wherein the virtual machine executes the target 
program starting at each entry point defined within an entry point table. 

19. (New) The method of Claim 12, further comprising loading a software CPU shell 
when the virtual machine operates in the first and third modes of operation. * t , 

20. (New) The method of Claim 12, further comprising loading a language interpreter 
when the virtual machine operates in the second mode of operation 
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21.")(New) A computer system for discovering malicious code in a target program, 
comprising: 

7 a processing unit; 

a memory storage device^and 
. one or more program modu^s stored in said memory storage device for providing 
instructions to said processing unit; 

said processing uniWt^^isiVB^^aid instructions of said one or more program 
modules, operable for "fe 6J(< 

evaluating a file format of th& target program; 

evaluating control fields withi^ a header of a file containing the target 

program; 

automatically configuring a virtual haachine to execute the target program 
in one of three modes of operation based on the fileVormat and the control fields within 
the header of the file, a first mode of operation comprising a real mode, a second mode of . 
operation for executing target programs comprising a h$jh level programming language, 
and third mode of operation for executing target programs comprising thirty-two bit code; 

storing behavior flags representing behavior d^the target program during 
execution of the target prdgram by the virtual machine; 

storing a sequence in which the behavior flags We set by the target 
program pf4h^targ^ptogram during execution of the targe^ program by the virtual 
machine; 

passing, behavior flag data and sequence flag data .to &e1S$mputer system 
after execution of the target program by the virtual machine; and ^C*"""^ • \ \ 

evaluating the behavior flag data and sequence flag data with the computer 

system. 

ew) The system of Claim 21, wherein the processing unit is further operable for 
erminating the virtual machine after execution of the target program, thereby removing 
from the computer system a copy of the target program that was contained within the 
virtual machine. 
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23. (New) The system of Claim 21, wherein the virtual machine comprises a virtual 
computer implemented by the one or more programs simulating functionality of a central . 
processing unit and memory aticLa virtual operating system simulating functionality of an 
operating system of the computer system. 

24. (New) The system of Claim 21, wherein the processing unit is further operable for 
identifying a type of operating system intended for the target program that is to be 
executed by the virtual machine. 

25. (New) The system of Claim 21, wherein the processing unit is further operable for 
initializing the virtual machine by constructing the virtual machine out of a number of 
layered shells. 

26. (New) The system of Claim 25, wherein the processing unit is further operable for 
configuring the shells based upon a format of the target program, 

27. (New) The system of Claim 21, wherein the virtual machine executes the target 
program starting at each entry point defined within an entry point table. 

28. (New) The system of Claim 21, wherein the processing unit is further operable for 
loading a software CPU shell when the virtual machine operates in the first and second 
modes of operation. 

29. (New) The system of Claim 21, wherein the processing unit is further operable for 
loading a language interpreter when the virtual machine operates in the second mode of 
operation. 
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C-3(W^(New) A computer-implemented method for identifying malicious code in a target 

program comprising: 

automatically configuring a virtual machine to execute the target program in one 

$^^f S of three modes of operation, a first mode of operation simulating an operating system, a 

\(+^ Y2^ secon ^ m °de of operation for executing a target program comprising a high level 

'^ps*** [ programming language, and third mode of operation for executing a target program 

comprising thirty-two bit code; 

storing behavior flags representing behavior of the target program during 

execution of the target program by the virtual machine; 

storing a sequence in which the behavior flags are set by the target program of Oiir 

t ggtl piugiJffi during execution of the target program by the virtual machine; 

passing behavior flag data and sequence flag data to tKS^S^uter: system after 

execution of the target program by the virtual machine; and 

terminating the virtual machine after execution of the target program, thereby 

removing from the computer system a copy of the target program that was contained 

within the virtual machine. 

31. (New) The computer-implemented method of Claim 30, further comprising 
evaluating a file format of the target program. 
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